SUMMARY/ABSTRACT

A probabilistic risk assessment (PRA) approach has been developed and applied to the risk analysis of capsule 
abort during ascent. The PRA is used to assist in the identification of modeling and simulation applications that can 
significantly impact the understanding of crew risk during this potentially dangerous maneuver. The PRA approach 
is also being used to identify the appropriate level of fidelity for the modeling of those critical failure modes. The 
Apollo launch escape system (LES) was chosen as a test problem for application of this approach. Failure modes 
that have been modeled and/or simulated to date include explosive overpressure-based failure, explosive fragment-based
failure, land landing failures (range limits exceeded either near launch or Mode III trajectories ending on the
African continent), capsule-booster re-contact during separation, and failure due to plume-induced instability. These 
failure modes have been investigated using analysis tools in a variety of technical disciplines at various levels of 
fidelity. The current paper focuses on the development and application of a blast overpressure model for the 
prediction of structural failure due to overpressure, including the application of high-fidelity analysis to predict 
near-field and headwinds effects.

INTRODUCTION

Under NASA’s Computing, Information, and Communications Technology (CICT) Program, several Grand 
Challenge Applications (GCA) were selected over a spectrum of problem types in an effort to drive end-to-end 
information technology development. In support of the CICT/GCA objectives, a number of computational
modeling and simulation tools suitable for application to the scenarios involved in crew abort were developed 
and/or mature codes were enhanced over the past several years. Demonstration cases involving elements of the 
abort process have been computed in support of requirements specified by Space Launch Initiative/Orbital Space 
Plane (SLI/OSP) industry partners; however, these requirements have tended to be specified in a relatively ad hoc 
manner. Out of these efforts came a perceived need for a more systematic methodology to identify the most relevant 
problems and the required level(s) of fidelity. 

During the past year NASA Ames and NASA Glenn civil servant and contractor personnel have collaborated on 
the Simulation-Assisted Risk Assessment (SARA) project. The primary objective of the project is to integrate
high-fidelity and engineering-level multi-disciplinary analyses in response to requirements defined through the
application of Probabilistic Risk Assessment (PRA, e.g., see Ref. 1) modeling. PRA represents a systematic 
methodology for identifying and quantifying risks that could provide valuable guidance in the assessment of 
competing crew safety concepts. These methods involve the development of risk models that establish relationships 
and dependencies among system components and the accumulation of failure data for these components. In the 
simplest approach, a failure database represents the interface between the system-level model of the process being 
addressed and the available relevant modeling and simulation tools and processes. The application of uncertainty 
and sensitivity analyses to the failure database can be used to identify gaps and/or weaknesses in the failure data 
and, consequently, requirements for analysis and/or testing. 

The Saturn V/Apollo ascent abort system was considered a suitable and relevant system for demonstration of 
the process given the current Crew Exploration Vehicle (CEV) concept. Although crew abort systems have been in 
place for capsule systems since the Mercury program (Ref. 2), these flight programs accepted substantial risks because of
the technological and schedule limitations imposed on them. For systems with long operational histories, failure 
data may be available from experience, but for fundamentally new systems or systems with little operational history, 
modeling will almost certainly be required to either create failure data from scratch or to extrapolate failure data 
from surrogate systems. Because of the limited testing and operational application of capsule abort systems, any 
systematic assessment of the risk of a CEV capsule abort system is likely to require a substantial amount of 
modeling and simulation to support the failure database. Because many of the understood risks of the Apollo abort 
process involve complex aerodynamic effects and interactions, it was felt likely that the high-fidelity computational 
tools and processes of the type developed under CICT/GCA would be especially valuable. 

The development of data suitable for use by the PRA involves more than a few exploratory simulations and this 
poses a challenge for the application of high-fidelity methods. Therefore, even given the enormous resources of the 
Columbia computer system at NASA Ames Research Center, engineering-level methods are relied upon heavily in 
the process. One of the challenges of this project has been the development of a strategy for application of 
simulation tools of different levels of fidelity in such a way as to take best advantage of the strengths of the various 
tools. This paper will focus on the manner in which this was done in application to the problem of determining the 
risks of crew module structural failure caused by blast overpressure associated with the catastrophic failure of the 
launch vehicle. 


RISK MODEL DEVELOPMENT 

The first step in this project was the development of a high-level description of the abort process that contained 
the necessary logic to relate component-level failure modes to failures of the process or system, what was referred 
to as the risk model. The process consisted of: 1) determining the observed and potential failure scenarios associated 
with the Apollo Launch Escape System (LES), 2) developing a logical structure capable of representing these failure 
scenarios with a minimum number of basic events, and 3) capturing the structure in available PRA/fault tree 
software. 

In order to develop an understanding of the Apollo Launch Escape System sufficient to develop a PRA structure 
representing the abort process, an extensive literature search was performed for documents on the Apollo program 
in general and the Apollo LES in particular. The collection currently comprises over 160 documents of various 
types, including technical reports, system description documents, system requirements documents, operations 
manuals, press kits, and interviews with key personnel. More than a dozen disciplines are represented. A
spreadsheet-based database is maintained that tracks titles, authors, publication dates, disciplines, Mach regimes (for
wind tunnel tests, etc.), configuration, etc. Not all reports included in the catalog are specifically Apollo-related, but 
all have been judged relevant to the problem in some respect. Outside risk experts were also consulted and they 
provided additional failure scenarios. 


PRA Structure 

Initially, the ascent abort risk model was cast as an event tree in which the abort process was abstracted into a 
series of “gates” or pivotal events that must be negotiated in order to have a successful abort (see Fig. 1). Each of 
the pivotal events was then supported by a fault tree - a logical structure linking the pivotal event to possible 
subsystem-level failure modes. As described in the previous section, a literature search for information regarding 
the design, testing, and operation of the Apollo LES provided much of the understanding of the potential risks in the 
abort process. Experience obtained during work on the Space Launch Initiative/Orbital Space Plane program and 
dialog with external risk experts provided additional inputs to the PRA model development. The preliminary event 
tree contained seven pivotal events represented by seven “gates” that must be negotiated to complete a successful 
abort. Fault trees were developed to break the event failure rate into potential component-related causes of failure. 
For example, the “Failure to Survive Explosion” event is broken into three causes as shown in Fig. 1. 
Approximately three dozen failure modes were identified. These represent the connecting points between the risk
model and the failure database; that is, the failure database supplies the probabilities of failure for each of
these modes.

Figure 1. Conceptual risk model.

As experience with the model and the problem was acquired, weaknesses with the event tree modeling approach were
observed. The main weaknesses were associated with the static nature of the model as compared to the highly
dynamic nature of the ascent abort risks. The probability of failure at each of the gates was observed to be quite
sensitive to the vehicle state and condition at the time of abort. As an example, the risk of failure due to blast
wave-generated overpressures declines markedly as the launch vehicle accelerates beyond the point of maximum
dynamic pressure. Then, even if the capsule survives the blast overpressure, it may be left in a state that is 
susceptible to aerodynamic instability. For these reasons, the risk model was recast as a single fault tree. The revised 
model incorporated time-varying rates for the likelihood of an abort as well as for the factors that determine abort 
success. This model was then enhanced to enable predicting the impact of false positive signals in which an abort is 
triggered even though the vehicle is operating normally. This feature is particularly important when trading the 
reliability of an ISHM system against the performance (i.e. lead time available) of the system. In addition, all of the 
failure probabilities were incorporated in a way as to allow for uncertainty measures to be included. The 
uncertainties are also permitted to vary with time, and are incorporated via a Monte Carlo analysis module included 
within the PRA. The PRA produces time varying mean risk intensity plots, an integrated system risk number, and 
the uncertainty distribution about the integrated estimate. 





Copyright © #### by ASME 


Currently, we are evaluating the potential advantages of recasting the model once again, this time within a 
significantly enhanced version of the SAFE software (Ref. 3). This approach holds promise of providing even more
realistic modeling of the risks by enabling the user to provide functional relationships between the contributing 
failure modes and the vehicle state and to represent interdependencies between failure modes. 


Failure Rate Development Process 

Computing failure rates using high-fidelity modeling and simulation tools is a somewhat different type of 
application than is typically performed by computational researchers. In order to mitigate some of the confusion 
associated with this, an effort was made to generate a reference process, or template, for the computation of the 
failure rates. 

This process begins by identifying the type of analysis required; more often than not, this analysis is some type 
of trajectory simulation. A sensitivity analysis is used to identify important input parameters to this process and 
probabilistic models for these inputs are generated. Failure criteria are established based on the system 
requirements. Uncertainty bounds can also be applied to the failure criteria. Typically a Monte Carlo approach is 
applied to combine the effects of multiple uncertain inputs into an output distribution. Finally, this output 
distribution is compared with the failure criteria to compute a failure rate. If the output constraint is uncertain, an 
uncertainty in the failure rate is also generated. 

If data from the Apollo program was available or relevant surrogate data could be used, the first step in the 
process was to use the current tool set to reproduce that data. This validation exercise provided an understanding of 
the process required to perform the analyses, identified problems in the current codes, and occasionally identified 
problems in the historical data. 

Depending on the type of analysis process required, the sensitivity and Monte Carlo analysis could lead to 
compute requirements capable of overwhelming even the massive resources of the Columbia system. For this 
reason, an effort has been made to identify and make use of efficiencies in the process, such as lower fidelity 
models, when appropriate. 

A particularly good example of an application of the process can be found in Ref. 4 for the problem of 
determining the probability of experiencing trajectory range violations following abort separation. 

BLAST OVERPRESSURE MODEL 


Model Structure 

For the Saturn V/Apollo launch system, one of the more prominent failure modes analyzed was the possibility 
that catastrophic failure of the booster leading to detonation of the propellant could create blast wave overpressures 
sufficient to fatally damage the crew module. In order to generate failure probabilities attributable to this mode
and provide other data and insight into the design parameters that critically impact the ability to survive this
failure mode, simple engineering-level models were developed or adopted for the phenomena associated with this
process. The components and inputs involved in the analysis of this failure mode are shown schematically in Fig. 2.
The failure scenario couples models for explosive blast overpressure propagation with a simple LEV trajectory model
to determine the overpressure experienced by the escaping crew module. This overpressure is compared with the
capsule’s structural capacity to determine failure status. Both the blast and LEV propagation modules depend on
multiple sub-components and/or inputs as shown in Fig. 2. Most, as indicated by the rounded rectangles, are directly
or indirectly dependent on the trajectory and the time of abort. Figure 3 illustrates an example of the manner in
which the blast propagation and LEV trajectory are intersected to determine the resulting overpressure experienced
by the escaping crew module. Inherent in this model is the assumption that the blast does not interact with the
LEV, i.e., that the blast overpressure associated with the blast is not significantly altered by the presence of the
LEV. This assumption is understood to be of questionable validity and will be subject to modification in the future
through the application of higher-fidelity simulation. The following sub-sections describe the most critical
components of the scenario modeling.

Figure 2. Blast overpressure model components.

Figure 3. Illustration of trajectory intersection (horizontal axis: Time from Explosion Init, ms).


TNT-Based Blast Propagation 

At the core of the engineering method is the TNT blast propagation model. Shown in Fig. 4, it consists of a 
tabulated version of Brode’s axisymmetric 1-ton TNT simulation result (Ref. 5) non-dimensionalized using Sachs scaling (Ref. 6),
which enables the extension of the model to include altitude and explosive energy variation effects. Sachs scaling 
relates the dimensional and non-dimensional parameters as follows: 

Overpressure: $OP = (p_{max} - p_\infty)/p_\infty$

Distance: $X = x/\alpha$, where $\alpha = (E_{prop}/p_\infty)^{1/3}$

Time: $\tau = t\,c_\infty/\alpha$, where $c_\infty$ = ambient speed of sound

In these equations, $E_{prop}$ is the energy of the blast and is computed, using the TNT equivalency approach, as a
linear function of the existing propellant mass:

$E_{prop} = \eta_{prop}\, m_{prop}\, E_{TNT}$

Here, $m_{prop}$ is the mass of propellant in tons and $E_{TNT}$ is the energy associated with one ton of TNT ($4.2 \times 10^9$ J is
used in the current model). A critical parameter in this model is the equivalency factor of the explosion, $\eta_{prop}$. This
parameter is a strong function of many factors, including propellant type, mass, and scenario (level of mixing,
containment, etc.). As a starting point, values used early in the Apollo program (Ref. 7) were applied for the propellant
types involved in the Saturn V booster: $\eta_{LOX/RP1} = 0.1$ and $\eta_{LOX/H2} = 0.6$. Determination of more realistic TNT
equivalencies was the subject of a fair amount of discussion and research at NASA Glenn Research Center (see Ref. 
8). The above values were recognized at the time as very uncertain, and probably very conservative, and remain 
uncertain for the simple reason that they are so dependent on the factors listed above. This is an indication of the 
weakness of the TNT equivalency method for deterministic predictions; however, it has still proven useful in the 
investigation of trends and sensitivities to design parameters of the abort system. For solid rocket boosters, the TNT 
equivalence is provided by a pressure vessel bursting-type function of chamber pressure and internal volume and, as 
such, is a function of time-of-abort. 

Another recognized weakness of the blast model is the near-field behavior, where the overpressures associated
with high-energy initiators such as TNT are known to be significantly higher than those associated with more
distributed sources such as fuel-air detonations. Consequently, the TNT-based model is generally considered to 
provide a pessimistic view of the threat due to blast overpressure, at least in the near-field of the blast. Additional 
discussion of this point will be provided in the Application of CFD Methods section. 

Headwind Effects 

Along the ascent trajectory, the blast propagation process is influenced by the reduction in ambient pressure with 
increasing altitude, the reduction in fuel mass with engine burn time, and the increasing effective headwind. These
effects act to weaken and slow the blast wave. The ambient pressure effect is accounted for through the Sachs
scaling described earlier, but the headwinds effect requires additional consideration. As a first attempt to model the
headwinds, a simple coordinate transformation is applied which effectively assumes the detonation center freezes in
space at the moment of detonation, i.e., it is swept backwards with the freestream relative to the moving booster. As
a result, the trajectories of the headwind-affected blast, $D_{HW}$, and the quiescent blast trajectory, $D_Q$, are related by:

$D_{HW}(t) = D_Q(t) - V_\infty t$,

where $V_\infty$ is the launch vehicle velocity at the time of explosion. The most significant consequence of headwinds is
the blowback of the blast as it weakens and slows to a velocity below that of the freestream. This results in a rapid
reduction of the threat due to overpressure as the launch vehicle velocity increases to Mach 3 and above.

Figure 4. TNT propagation model: a) blast front propagation trajectory; b) blast overpressure decay with distance.
(Axis labels: Scaled Time, $\tau$; Scaled Distance, $X$.)

Computational simulations (Ref. 9) have provided some insight into headwind effects not accounted for in the current
approach and the possibility of converting these insights into a replacement for the current model is currently being 
investigated. Qualitatively, the simulations indicate an increased initial shock strength and increased penetration into 
the headwind, relative to the current model. Additional discussion of this effect will be provided later in the paper. 

Launch Escape Vehicle Trajectory 

The blast propagation model described is programmed using Excel® macros and is coupled to a simple,
one-dimensional, constant-acceleration model for the escape vehicle dynamics. This model is based on a simple
altitude-corrected model for the escape thrust and drag data as a function of Mach number for the launch escape vehicle
(LEV). This drag information was obtained from the Apollo aerodynamic data book (Ref. 10) and is for a vehicle at zero
incidence without plume effects. Thrust at altitude, $T_h$, is related to sea-level thrust, $T_{SL}$, using the simple relation

$T_h = T_{SL} + (p_{SL} - p_h) A_{x,exit}$

where $p_h$ and $p_{SL}$ are pressures at altitude and sea level, respectively, and $A_{x,exit}$ is the axial component of the
separation motor nozzle exit area. The variation of the axial component of weight with altitude is just $W_h = W \sin\gamma$,
where $\gamma$ is the flight path angle at the trajectory point of interest.

Results 

Treatment of Uncertain Inputs 

Inputs to the blast model often are subject to substantial uncertainty. In some cases, mean values with uncertainty
distributions can plausibly be applied and the model then can be used to produce a failure rate with uncertainty.
In cases where likely values for all the inputs cannot be specified with confidence, or where sensitivities to
certain inputs are desired, “terrain maps” can be generated by performing the analysis for ranges of values for the
desired parameters. For example, Fig. 5 shows the sensitivity of failure likelihood to combinations of warning time
provided and explosive efficiency for a pad abort scenario (first stage detonation centered at the intertank region).
Here, the explosive efficiency is defined as the percentage of the nominal $\eta$ value (again, 0.1 for RP). Failure of
the capsule boost protect cover is assumed to occur at a mean value of 6 pounds per square inch (psi) overpressure
with a standard deviation of 2 psi. At this point, all that is needed to generate a failure probability are
likelihood distributions for warning time and explosive efficiency. Even without this information, the sensitivity
map provides some valuable insight into the regions of the parameter space that really affect the risk. Another
input that has been the subject of these types of plots is the parameter $D_{init}$, the location of the detonation
center relative to the initial crew module location.
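
The pad-abort sensitivity map described above can be sketched in a few dozen lines. This is an added example, not the paper's Excel model: the scaled decay table, propellant mass, escape acceleration and initial offset are constructed placeholders, and the blast front speed is taken from the normal-shock relation for γ = 1.4 rather than from a tabulated trajectory.

```python
import math

E_TNT_J = 4.2e9              # energy of one ton of TNT, value quoted in the paper
GAMMA = 1.4                  # ratio of specific heats for air (assumption)
PSI_PER_PA = 1.0 / 6894.757  # pascal to psi

# Constructed placeholder for the scaled decay curve OP(X); NOT Brode's data.
SCALED_CURVE = [(0.1, 30.0), (0.2, 8.0), (0.5, 1.2),
                (1.0, 0.35), (2.0, 0.12), (5.0, 0.035)]


def sachs_length(m_prop_tons, eta, p_inf):
    """alpha = (E_prop / p_inf)^(1/3), with E_prop = eta * m_prop * E_TNT."""
    return (eta * m_prop_tons * E_TNT_J / p_inf) ** (1.0 / 3.0)


def scaled_overpressure(X):
    """Log-log interpolation of OP(X), clamped at both ends of the table."""
    if X <= SCALED_CURVE[0][0]:
        return SCALED_CURVE[0][1]
    for (x0, y0), (x1, y1) in zip(SCALED_CURVE, SCALED_CURVE[1:]):
        if X <= x1:
            frac = math.log(X / x0) / math.log(x1 / x0)
            return y0 * (y1 / y0) ** frac
    return SCALED_CURVE[-1][1]


def intercept_overpressure_psi(m_prop_tons, eta, warning_s, accel, d_init,
                               v_inf=0.0, p_inf=101325.0, c_inf=340.0,
                               dt=1e-4, t_max=10.0):
    """Overpressure (psi) where the blast front meets the escaping vehicle.

    The vehicle starts d_init metres from the detonation centre and has been
    accelerating at accel (m/s^2) for warning_s seconds before detonation.
    Returns 0.0 if the front never reaches the vehicle within t_max.
    """
    alpha = sachs_length(m_prop_tons, eta, p_inf)
    front, t = 0.0, 0.0  # distance travelled by the front through still air
    while t < t_max:
        lev = d_init + 0.5 * accel * (warning_s + t) ** 2
        # Headwind transformation: D_HW(t) = D_Q(t) - V_inf * t
        if front - v_inf * t >= lev:
            return scaled_overpressure(front / alpha) * p_inf * PSI_PER_PA
        # Front Mach number from the normal-shock relation (assumption)
        op = scaled_overpressure(front / alpha)
        mach = math.sqrt(1.0 + (GAMMA + 1.0) / (2.0 * GAMMA) * op)
        front += mach * c_inf * dt
        t += dt
    return 0.0


def failure_probability(op_psi, mean_psi=6.0, sd_psi=2.0):
    """P(capacity < overpressure) for a normally distributed capacity."""
    z = (op_psi - mean_psi) / (sd_psi * math.sqrt(2.0))
    return 0.5 * (1.0 + math.erf(z))


def terrain_map(warnings_s, efficiencies_pct, m_prop_tons, accel, d_init,
                eta_nominal=0.1):
    """Failure probability for each (warning time, efficiency %) pair."""
    grid = {}
    for w in warnings_s:
        for pct in efficiencies_pct:
            eta = eta_nominal * pct / 100.0
            op = intercept_overpressure_psi(m_prop_tons, eta, w, accel, d_init)
            grid[(w, pct)] = failure_probability(op)
    return grid


if __name__ == "__main__":
    # Constructed inputs: 2000 t propellant, 70 m/s^2 escape, 60 m offset.
    grid = terrain_map([0.0, 1.0, 2.0, 3.0], [25, 50, 100], 2000.0, 70.0, 60.0)
    for (w, pct), p in sorted(grid.items()):
        print(f"warning {w:3.1f} s  efficiency {pct:3d}%  P(fail) = {p:.3f}")
```

Passing a non-zero `v_inf` applies the headwind transformation; once the front slows below the freestream it is blown back and the function returns 0.0.
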

Trade studies are straightforward to perform by replacing either of the uncertain inputs with a design
parameter. For example, Fig. 6 shows the result of assuming a 10% TNT equivalency over a range of separation
motor thrust levels at transonic conditions. Another example is shown in Fig. 7 which was produced by variation of
the capacity of the structure to withstand overpressure.



Figure 6. Escape motor thrust sensitivity (transonic abort).

Figure 7. Structural capacity sensitivity (transonic abort).


Warning Time Predictions 

Since the model is coded entirely within Excel, it is easy to reconfigure to solve for other parameters. One such 
application is the determination of warning times required to successfully separate to a “safe” distance. In this 
paper, the warning time is defined as the time before actual detonation that the launch escape system must begin to 
separate. Figure 8 shows computed warning times required as a function of ascent abort time. The failure scenario 
considered is complete involvement of the Saturn V first stage in the explosion ($\eta$ = 0.1) with the detonation center
at the intertank region. Three curves are plotted in Fig. 8: 1) required warning times published in Ref. 7, from the
Apollo era, 2) current model results including headwind effects, and 3) current model with no headwind effects. 
Near the pad, ground plane reflection effects are accounted for by doubling the explosive efficiency. The two peaks 
in the distributions are associated with the large propellant mass at the pad and the high drag hindering separation 
near transonic and maximum dynamic pressure regions of the ascent trajectory. Based on these results, and on 
further inspection of additional data of Ref. 7, it is apparent that headwind effects were not included in data from 
Ref. 7. Agreement is reasonably good through the subsonic portion of the ascent. Reasons for the degrading 
comparisons at the higher altitudes have not yet been determined as the underlying data at those conditions were not 
published in the report. 

Application of Computational Fluid Dynamics

Two recognized weaknesses in the integrated model are the headwind effects model and the over-prediction of the
overpressure in the near- to mid-field of the detonation center associated with the TNT characteristic
distribution. In order to examine the effects of the TNT-based model errors on the risk results, high-fidelity blast
wave simulations were performed using the Overflow Navier-Stokes code (Ref. 11), which are described in detail in
Ref. 9. A series of simulations was initially performed to establish the ability of the analysis process to produce
standard blast overpressure distributions for quiescent air. As can be seen in Ref. 9, the simulations produce lower
overpressures in the near-field, but overpressures far from the detonation center agree well with the TNT
distribution. As can be explained by use of the shock-tube formula, the near-field behavior is sensitive to
conditions in the initiating high temperature, high pressure sphere. This is consistent with the knowledge that a
universal distribution for the environment in the near-field of a fuel-air explosion does not exist. Development and
use of a one-parameter family of curves representing varying detonation velocities could provide the next level of
fidelity in modeling the
near-field blast distribution. The practicality of such an approach is currently under investigation. Additional details 
are provided in Ref. 12. 

In addition to the quiescent blast cases, Navier-Stokes simulations have been performed for determining the 
effect of headwinds on the blast propagation process. As the blast propagates, it weakens, decelerates relative to the 
freestream, and is finally blown backwards. The Navier-Stokes simulations predict a region of significantly 
increased overpressure prior to the blast wave being pushed back by the headwinds. Since the current interest was in 
the impact of these types of differences in the abort risk, the simulation data was used to replace the TNT blast and 
headwinds propagation models and the required warning times were recomputed at a few discrete Mach numbers. 
These are plotted as the open symbols in Fig. 9. The current results indicate a significant impact of the simulation- 
based headwinds on required warning time, especially in the transonic to supersonic speed regime; however, 
additional work remains to fully understand the importance of the initial conditions of the sphere used to start the 
Navier-Stokes simulations. 

Ultimately, it is envisioned that the TNT model can be replaced by families of curves, generated through 
simulations as described above, along with an improved model for headwind effects. This approach to utilizing 
high-fidelity simulations is thought to be preferable to simply performing simulations on an as-needed basis because 
it enables the rapid extension of the information to other situations for performing trade studies, risk analysis, etc. 



Figure 9. Effect of Navier-Stokes headwind simulations on warning time requirements (horizontal axis: Mission
Elapsed Time, s).


SUMMARY 

A set of tools and processes for the modeling and simulation of capsule abort events has been developed and 
integrated with probabilistic risk assessment methods for the evaluation of crew safety concepts. The capability has 
been demonstrated using the Apollo launch escape system and ascent abort approach, beginning with an extensive 
literature search for Apollo- and abort-related documents and ending with a time history of risk contribution from
several potential failure modes. Failure modes considered during the past year included failure caused by booster
explosion, failure associated with trajectory range limit violations, and failure caused by re-contact with the booster 
during separation. The model for blast overpressure has been used to determine sensitivities to input uncertainties 
and explore design parameter trade space as well as produce warning time requirements for booster failure detection 
systems. The importance of the problems that were identified for analysis through the use of the risk perspective has 
been verified by NASA leadership. 